VGS Engineering Blog

The latest updates from our developer community

How to Build a Secure Android Mobile Application

Secure mobile development

Android was designed to be open and flexible and has made launching apps extremely accessible across the globe.

Securing such an open platform requires a strong security architecture and rigorous security programs that need continuous maintenance and testing. Fortunately, Android itself provides an app building environment that protects the confidentiality, integrity, and availability of the data, apps, users, devices, and networks involved.

This wide variety of protective measures that Android already has in place means that much of the security work is already done by default – making life easier for developers with less experience in app security. Even with these default Android security controls in place, however, there are always going to be gaps that can make sensitive data exposure a real possibility.

Let’s walk through some essential security tips that you can follow to make sure that your Android app is keeping your users’ data protected.

What prevents us from building secure applications?


Sensitive Data Store

One of the biggest mistakes made by developers when building an application is allowing stored sensitive information to be accessible to other apps.

Sensitive data shouldn’t be stored on the device longer than needed and should be deleted immediately when there is no longer a need for it. If you need to store sensitive user data, the storage must be encrypted. To provide additional protection for sensitive data, you can use the Jetpack Security library. Tink is also worth your attention for resolving such issues.

Networking

Unfortunately, not everyone is aware of the privacy concerns that impact mobile devices, let alone the specific risks encountered when the device performs network transactions.

First of all, make sure that your application doesn’t trust data downloaded from HTTP or other insecure protocols. You should strictly use HTTPS everywhere, because mobile devices frequently connect to insecure networks, such as public Wi-Fi hotspots. Wi-Fi encryption by itself is insufficient protection for most communications on the internet. Don’t trust unknown certificates, use Certificate Pinning, and specify your custom TrustManager. Also, it is highly important to set up your network-security-config file.
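A network security configuration that applies the points above, as an added example rather than configuration from the original post. The host name `api.example.com`, the expiration date and both pin values are placeholders to replace with your own.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml with
     android:networkSecurityConfig="@xml/network_security_config" on <application>. -->
<network-security-config>

    <!-- Weak setting to avoid, shown commented out for contrast:
         <base-config cleartextTrafficPermitted="true">
             <trust-anchors>
                 <certificates src="system" />
                 <certificates src="user" />
             </trust-anchors>
         </base-config>
         It permits plain HTTP and trusts any CA certificate added to the device. -->

    <!-- Hardened default: HTTPS only, trust only the CAs shipped with the OS. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Certificate pinning for the app's backend (assumed host name). -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <!-- After the expiration date pinning is no longer enforced, so app
             versions that were never updated keep connecting. Constructed date. -->
        <pin-set expiration="2030-01-01">
            <!-- Placeholder: base64 SHA-256 of the server's SubjectPublicKeyInfo. -->
            <pin digest="SHA-256">REPLACE_WITH_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <!-- Placeholder: backup key, so a key rotation does not lock users out. -->
            <pin digest="SHA-256">REPLACE_WITH_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Used only when android:debuggable="true": allows a test proxy CA in
         debug builds without weakening the release configuration. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

The network security configuration is honored on Android 7.0 (API level 24) and later; on older releases the same rules have to be enforced in code.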

Authentication

A common problem arises when the application lets a user in after they enter a login or password.

When an application handles sensitive information, it is always better to double-check whether the user really has access to the data. We can use one of the trusted authorization protocols (e.g. OAuth 2.0) or reuse existing solutions like Firebase Authentication, One Biometric API, or at least multi-factor authentication.

User input validation

It’s possible for developers to miss full validation of the input they receive from users.

At the same time, this is the most common security problem affecting applications, and not only on Android. The application should make sure to use well-structured data formats and verify that the data conforms to the expected format. Additionally, validation by regex or by blocking specific characters can be bypassed. That’s why these practices should be avoided.

Obfuscation

Obfuscation raises the barriers to someone decompiling and stealing your code.

It is a really important step, but you shouldn’t rely on it too much because your app can still be hacked. The application binary files can be retrieved and even republished on different sources. In addition, let’s mention removing logs from the application before release. If you don’t, attackers can get sensitive information simply during debugging.

Conclusions

By following the above tips, you can be much more assured that you’re doing the most you can to keep the user data in your application more secure. Please note that these tips are not a silver bullet – they are all pretty common best practices and may need to be supplemented with additional security controls. Even so, every case requires special discussions and solutions, and you should make sure to ask a security expert before your application goes live with real sensitive user data flowing in and out.

More information for Android app developers can be found on developer.android.com.

Dmytro Kosolapenko
Dmytro joined VGS in the autumn of 2019 as an engineer in the mobile department. He gathered the Android mobile team, which is now working on creating and building out VGS products and custom solutions for the Android mobile platform.